North Korea’s Hangman Malware Exploits South Korean Word Processor


It looks like North Korean hackers have been at it again, this time going after their old foe South Korea by attacking a flaw in a word processor used by government offices.

Researchers at cyber security firm FireEye say hackers from North Korea exploited a zero day vulnerability in a popular South Korean word processing program to get access to government systems. Exactly what the attackers were after or what they actually achieved remains unclear.

FireEye’s Genwei Jiang and Josiah Kimble say the hackers went after a vulnerability (CVE-2015-6585) in the Hangul Word Processor to deliver the “Hangman” backdoor; a patch released last Monday fixes the vulnerability.

Cyber security experts point out that clear attribution to North Korean actors in this incident (and more generally) is difficult. However, the researchers note that the attack software, command payloads and infrastructure carry the “fingerprints” of previous attacks by North Korea’s notorious Bureau 121.

More on North Korea’s Hangman malware

Jiang and Kimble say the hackers used software similar to that seen in other attacks which have been traced to North Korea. Another confirmatory factor is that the researchers were able to tie the attack to North Korea by identifying the command and control servers that were used.

The attackers used a backdoor named Hangman that can receive and send encrypted files and commands, as well as gather information about the network. The Hangman backdoor used the same command and control infrastructure as a known North Korean attack earlier this summer called “Macktruck”.

The FireEye researchers also point out that the backdoor functions used in this attack have otherwise only been seen in another backdoor dubbed PeachPit, which is also suspected to be the work of North Korean hackers.

Statement from FireEye researchers

FireEye’s recent report on the newly found zero day exploit of the Hangul Word Processor notes: “While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye intelligence assesses that this activity may be associated with North Korea-based threat actors.”

The report continues: “This implies that PeachPit and Hangman were written by the same developers or, at minimum, share some of the same source code. Given that we have observed only limited use of backdoors such as PeachPit, it is reasonable to theorise that in addition to a common development history, the backdoors may be used by the same or closely related threat actors.”

North Korea threatened “cyber war” against U.S. over failed Stuxnet attack

As reported by ValueWalk earlier this summer, Rodong Sinmun, North Korea’s largest daily newspaper, published an article claiming North Korea planned to wage a cyber-war against the U.S. to “hasten its ruin” to get revenge for an attempt to damage North Korean government networks with the Stuxnet virus.

“It is the firm determination of the DPRK to wage Korean-style cyber war to hasten the final ruin of the U.S. and the forces following it, who attempted to bring down the former with the cyber war,” the article noted.

“The U.S. is greatly mistaken if it thinks the DPRK will just overlook with folded arms the provocations in the cyber space,” the article continued.

Reuters reported in May that the U.S. had tried to sabotage North Korea’s nuclear weapons program back in 2010 with the Stuxnet virus. The hack was designed to be similar to the Stuxnet attack that drastically slowed Iran’s nuclear program by damaging the software for the centrifuges used to concentrate uranium to make nuclear weapons.

Apparently, U.S. intelligence tried to use a version of Stuxnet that would be activated when it came across Korean-language settings. The U.S. cyber-attack on North Korea did not work, however, because the virus could not reach North Korea’s nuclear program network, owing to the highly isolated nature of the rogue nation’s communications networks.

Keep in mind that Internet usage in North Korea is only allowed for high government officials, and only with permission from security authorities. The better-off among ordinary North Koreans have access to a closed national intranet called the Kwangmyong, where all content is approved by the government, but no access to the global Internet.
